Ability to sign SSH certificate with SHA2

[Aniderhofer]

Hello

I would like to add into Bless the support to sign the SSH certificates with a SHA2 algorithm , more specifically RSA-SHA2 512.
SSH certificate signed with SHA2 algorithm is supported and recommended by default since OpenSSH 8.2 release https://www.openssh.com/txt/release-8.2

I have created a POC using the Bless SSH sign code, successfully signing with RSA SHA2 512.
would love to contribute my work to Bless.

Thanks
Albert

[lpcalisi]

Hi Albert, i am developing a refactor of Bless with more features like audit, external authorization module, more handle of exceptions and i would like support SHA2 512, you can share it?

[albertniderhofer]

Se here the fix:

https://github.com/albertniderhofer/bless/commits/sha-2

[le0pard]

https://github.com/certonid/certonid (min version 0.7.0) support rsa-sha2-256 algorithm, which works with latest openssh.

[skiptomyliu]

Thanks @albertniderhofer your commit was immensely helpful. We've made some small changes to your commit: lyft#49

Primarily decoupling the public key type from the signing type. Otherwise, your original commit will change the public key from ssh-rsa to rsa-sha2-512. The public key shouldn't be changing, only the signature. Surprisingly you'll be able to use the generated cert (tested using ssh -i [cert] [server]), but certain clients wont be able to parse the public key (eg golang ssh's ParseAuthorizedKey) .